Turkish Data Protection Board’s (“Board”) Decision Dated 18.09.2019 And Numbered 2019/271 Regarding Minimum Requirements That Should Be Included In The Data Breach Notification of the Data Controller to Data Subject (“Decision Numbered 2019/271”) Was Published On The Turkish Data Protection Authority’s (“Authority”) Website.


Pursuant to article 12, paragraph 5 of Turkish Data Protection Law numbered 6698, if the personal data that is processed is unlawfully acquired by third parties, then the data controller should notify the data subject and the Authority of this situation, immediately.


The Board, in one of its previous decisions dated 24.01.2019 and numbered 2019/10, stated that individuals affected by such data breach should properly be notified as soon as possible, either directly through individuals’ contact address if reachable, or by announcing the decision on the data controller’s website.


Within the scope of Decision numbered 2019/271, the Board emphasized that the purpose of such notification is creating an opportunity to swiftly avoid the negative outcomes that might rise from the breach and be borne on the data subjects or to minimize them. The minimum requirements that should be included in a data breach notification are stated as below:

  • When the breach occurred,
  • Which personal data among personal data categories is affected by the breach (by sorting personal data / sensitive personal data),
  • Probable consequences of personal data breach,
  • Measures taken or recommended to be taken to reduce negative effects of the data breach,

Communication channels such as name and contact information details of the contact persons who will provide information to data subjects regarding the breach, or full name of the data controller’s website, call centre etc.

Powered by themekiller.com